The authentication server needs to be correctly configured if administrator authentication uses the Remote Authentication Dial-In User Service (RADIUS).
Prerequisites
An authentication server is available.
Because the RADIUS authentication protocol cannot prevent man-in-the-middle (MITM) attacks, there is an authentication bypass vulnerability. Deploy the RADIUS server in the trusted domain. For security, you are advised to use IPSec tunnels.
Procedure
- Choose .
- Click .
- On the Modify RADIUS Server page, set RADIUS server parameters that are listed in Table 1.
Table 1 Configuring the RADIUS server

| Parameter | Description | Value |
|---|---|---|
| Auth mode | Mode for the RADIUS server to authenticate administrators. | PAP: uses a plain text password and requires two-way handshakes. Compared with CHAP authentication, it is superior in authentication efficiency but inferior in security. CHAP: uses a cipher text password and requires three-way handshakes. Compared with PAP authentication, it is superior in security but inferior in authentication efficiency. Main and spare RADIUS servers need to use the same authentication method. The plain text mode is insecure. The cipher text mode is recommended. |
| Main IP address | IP address of the main RADIUS server. | – |
| Spare IP address | IP address of the spare RADIUS server. | – |
| Port | Port of the RADIUS server. | Main and spare RADIUS servers need to use the same port. |
| Shared key | Encrypts RADIUS authentication packets to safeguard authentication information during transfer. | To authenticate the identities of involved parties, the shared key must be the same as the key configured on the RADIUS server. Main and spare RADIUS servers need to use the same shared key. It is recommended that the shared key contain at least six characters, including uppercase letters, lowercase letters, special characters, and digits. |
- Click OK.
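The following sketch is an added example, not code from this product or its documentation. It illustrates the Auth mode and Shared key rows of Table 1 by building the PAP User-Password and CHAP-Password attributes as defined in RFC 2865 (sections 5.2 and 5.3). The function names and all sample values are constructed for the illustration.

```python
import hashlib
import hmac

def _md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()

def pap_hide(password: bytes, shared_key: bytes, request_auth: bytes) -> bytes:
    """User-Password hiding (RFC 2865, section 5.2), as sent by the client."""
    if not 1 <= len(password) <= 128 or len(request_auth) != 16:
        raise ValueError("password must be 1-128 bytes, authenticator 16 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = _md5(shared_key + prev)  # keystream depends only on key + packet
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        hidden += prev
    return hidden

def pap_recover(hidden: bytes, shared_key: bytes, request_auth: bytes) -> bytes:
    """Server side: the same shared key turns the attribute back into the password."""
    clear, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        clear += bytes(c ^ m for c, m in zip(block, _md5(shared_key + prev)))
        prev = block
    return clear.rstrip(b"\x00")

def chap_password(ident: int, password: bytes, challenge: bytes) -> bytes:
    """CHAP-Password (RFC 2865, section 5.3): ident + MD5(ident|password|challenge)."""
    return bytes([ident]) + _md5(bytes([ident]) + password + challenge)

def chap_verify(stored_password: bytes, attr: bytes, challenge: bytes) -> bool:
    """Server recomputes the digest from its own copy of the password."""
    return hmac.compare_digest(chap_password(attr[0], stored_password, challenge), attr)

if __name__ == "__main__":
    # All values below are constructed for the example.
    key, auth = b"Constructed-Key#1", bytes(range(16))
    pw = b"constructed-admin-password"
    hidden = pap_hide(pw, key, auth)
    print("PAP, matching key  :", pap_recover(hidden, key, auth))
    print("PAP, different key :", pap_recover(hidden, b"Other-Key#2", auth) == pw)
    attr = chap_password(7, pw, auth)
    print("CHAP verifies      :", chap_verify(pw, attr, auth))
```

With PAP the password is fully recoverable by any party that holds the shared key, so the strength of that key and the trusted-domain and IPSec advice in the prerequisites carry the protection. With CHAP only a challenge-bound digest crosses the network.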
Copyright © Huawei Technologies Co., Ltd.